Hi Trevor
I was able to build clang from source and use the ccc-analyzer utility to analyse covered. It reports 81 bugs in total, but 53 are dead code (so can't cause trouble) and 21 are null pointer dereferences (which would cause segfault). That leaves 7 which might cause silent malfunction.
As usual with static analysis, there will be false positives. Here's my take on what it found.
Here's the raw tabulation:
Bug Group    Bug Type                                              File         Line  Path Length
Logic error  Garbage return value                                  param.c      667   2
Logic error  Pass-by-value argument in function call is undefined  comb.c       2387  8
Logic error  Pass-by-value argument in function call is undefined  rank.c       1121  2
Logic error  Result of operation is garbage or undefined           exclude.c    1272  3
Logic error  Result of operation is garbage or undefined           exclude.c    1245  3
Logic error  Result of operation is garbage or undefined           exclude.c    1219  3
Logic error  Result of operation is garbage or undefined           generator.c  2034  8
The first one looks real: param.c contains inst_parm_add which returns iparm, which is a local variable.
Here's one which is essentially a missing test, in gen_item.c:

1030   if( child != NULL ) {
         [4] Assuming pointer value is null
         [5] Taking false branch
1031     param_resolve_inst( child );
1032   }
1033   if( child->funit->suppl.part.type != FUNIT_MODULE ) {
         [6] Dereference of null pointer
Similarly in comb.c it sees an operation on an uninit char * tmp if the case statement falls through the default branch:
2380   switch( exp->op ) {
         [6] Control jumps to the 'default' case at line 2385
2381     case EXP_OP_AND  : tmp = strdup_safe( " ^^^^^^^^^^^^^ - &" );  break;
2382     case EXP_OP_OR   : tmp = strdup_safe( " ^^^^^^^^^^^^^ - |" );  break;
2383     case EXP_OP_LAND : tmp = strdup_safe( " ^^^^^^^^^^^^^ - &&" ); break;
2384     case EXP_OP_LOR  : tmp = strdup_safe( " ^^^^^^^^^^^^^ - ||" ); break;
2385     default : break;
         [7] Execution continues on line 2387
2386   }
2387   size = strlen( tmp ) + (eid_size - 1) + 5;
         [8] Pass-by-value argument in function call is undefined
In rank.c the trouble is an attempted cleanup in the exception handler, of an uninit var:
1121   rank_dealloc_comp_cdd_cov( comp_cov );
(This object would have been allocated just after the point where the exception is thrown.)
The first report in exclude.c is the case of an empty list:
1265   int arc_index;
         [1] Variable 'arc_index' declared without an initial value
1266
1267   instl = db_list[curr_db]->inst_head;
1268   while( (instl != NULL) && ((arc_index = instance_find_fsm_arc_index_by_exclusion_id( instl->inst, id, found_fsm, found_funit )) == -1) ) {
         [2] Loop condition is false. Execution continues on line 1272
1269     instl = instl->next;
1270   }
1271
1272   if( arc_index != -1 ) {
         [3] The left operand of '!=' is a garbage value

The other two are very similar pieces of code.
Finally, in generator.c, in generator_gen_size, if the left expression is NULL it's mishandled (but only for a default unhandled exp->op):

1848   switch( exp->op ) {
         [3] Control jumps to the 'default' case at line 2007
2007     default :
2008       {
2009         bool set = FALSE;
2010         if( exp->left != NULL ) {
               [4] Taking false branch
2011           lexp = generator_gen_size( exp->left, funit, &lnumber );
2012           if( exp->right == NULL ) {
2013             if( lexp == NULL ) {
2014               number = lnumber;
2015             } else {
2016               size = lexp;
2017             }
2018             set = TRUE;
2019           }
2020         }
2021         if( exp->right != NULL ) {
               [5] Taking false branch
2022           rexp = generator_gen_size( exp->right, funit, &rnumber );
2023           if( exp->left == NULL ) {
2024             if( rexp == NULL ) {
2025               number = rnumber;
2026             } else {
2027               size = rexp;
2028             }
2029             set = TRUE;
2030           }
2031         }
2032         if( !set ) {
               [6] Taking true branch
2033           if( (lexp == NULL) && (rexp == NULL) ) {
                 [7] Taking true branch
2034             *number = (lnumber > rnumber) ? lnumber : rnumber;
                 [8] The left operand of '>' is a garbage value
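As an added example (not covered's own code), here are the three uninitialised-value patterns from the exclude.c, comb.c and generator.c reports above, rewritten as small stand-ins with the initialiser each one lacked. The list type, the lookup stand-in and every function name below are invented for illustration; the shape of each loop and switch follows the excerpts.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from covered. Invented stand-ins (inst_t,
 * inst_find_arc_index, comb_line_size, gen_size_default) mirror the shape
 * of the three flagged patterns and show the initialiser each one lacked. */

typedef struct inst {
    int id;
    int arc_index;
    struct inst *next;
} inst_t;

/* Stand-in for instance_find_fsm_arc_index_by_exclusion_id(): the arc
 * index for a matching instance, or -1 when this instance has none. */
static int inst_find_arc_index(const inst_t *inst, int id)
{
    return (inst->id == id) ? inst->arc_index : -1;
}

/* exclude.c pattern, hardened: arc_index is only assigned inside the loop
 * condition, so with an empty list (head == NULL) the loop body never runs
 * and the value read afterwards is whatever was on the stack. Starting it
 * at -1 turns "empty list" into a defined "not found". */
int find_arc_index(const inst_t *head, int id)
{
    int arc_index = -1;                 /* the missing initialiser */
    const inst_t *instl = head;
    while ((instl != NULL) &&
           ((arc_index = inst_find_arc_index(instl, id)) == -1)) {
        instl = instl->next;
    }
    return arc_index;                   /* -1: empty list or id absent */
}

/* Builds a constructed two-instance list and runs the lookup on it. */
int find_in_demo_list(int id)
{
    inst_t second = { 7, 3, NULL };
    inst_t first  = { 5, 1, &second };
    return find_arc_index(&first, id);
}

enum exp_op { EXP_OP_AND, EXP_OP_OR, EXP_OP_LAND, EXP_OP_LOR, EXP_OP_OTHER };

/* comb.c pattern, hardened: every path through the switch assigns tmp, so
 * strlen() after it never receives an indeterminate pointer. The original
 * default branch did nothing, leaving tmp unset for unhandled ops. */
size_t comb_line_size(enum exp_op op, size_t eid_size)
{
    const char *tmp;
    switch (op) {
        case EXP_OP_AND:  tmp = " - &";  break;
        case EXP_OP_OR:   tmp = " - |";  break;
        case EXP_OP_LAND: tmp = " - &&"; break;
        case EXP_OP_LOR:  tmp = " - ||"; break;
        default:          tmp = "";      break;   /* was: break; with tmp unset */
    }
    return strlen(tmp) + (eid_size - 1) + 5;
}

/* generator.c pattern, hardened: lnumber and rnumber start at 0, so the
 * max at the end is defined even when neither sub-expression exists
 * (the left == NULL && right == NULL path clang walked). */
int gen_size_default(const int *left_size, const int *right_size)
{
    int lnumber = 0, rnumber = 0;       /* were uninitialised */
    if (left_size != NULL)  lnumber = *left_size;
    if (right_size != NULL) rnumber = *right_size;
    return (lnumber > rnumber) ? lnumber : rnumber;
}

static const int demo_width = 8;        /* constructed operand width */

int main(void)
{
    printf("found id 7 -> %d, id 9 -> %d, empty list -> %d\n",
           find_in_demo_list(7), find_in_demo_list(9), find_arc_index(NULL, 7));
    printf("line size LAND -> %zu, unhandled op -> %zu\n",
           comb_line_size(EXP_OP_LAND, 4), comb_line_size(EXP_OP_OTHER, 4));
    printf("size with no operands -> %d, left only -> %d\n",
           gen_size_default(NULL, NULL), gen_size_default(&demo_width, NULL));
    return 0;
}
```

The common thread is that the analyzer flags a read on a path where no write happened, so the fix is to give the variable a meaningful sentinel (-1, "", 0) at its declaration rather than to add a check at the read site; that also keeps the "not found" and "empty" cases from being distinguishable only by luck.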
I have submitted changes in the stable CVS tree that addresses/fixes all clang reported errors/warnings. These will be available in the 0.7.9 stable release.